Don’t Use MD5
“The hashing alone being MD5 tells me that they really don’t care about their passwords too much, so it’s probably some pre-generated site.”
That quote comes from an article on the anatomy of a hack. It’s an interesting quote, and it shows a few things.
First, we have a history problem with our frameworks: they are not updated as we learn more about a technology or as circumstances change. That could be because the frameworks themselves are not being updated, because developers are not updating the frameworks they use, or because they are downloading the wrong versions.
The bottom line is that older technologies with known weaknesses are still being used. If you hash passwords, don’t use MD5, and I’d say that SHA1 is a bad idea as well. If you are on a version of SQL Server prior to 2012, SHA2 is not available natively, but with the SQL CLR and the SHA2 implementations in .NET, you can write your own.
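As an added example (not from the original article), here is the kind of SQL CLR user-defined function in C# that the last sentence describes: it hashes a password with .NET's SHA-256 for a SQL Server version that predates 2012. The class, function and assembly names are my own, and I assume the assembly can be loaded under the SAFE permission set because both algorithms used are fully managed; the per-user salt is generated and stored on the T-SQL side.

```csharp
using System;
using System.Data.SqlTypes;
using System.Security.Cryptography;
using System.Text;
using Microsoft.SqlServer.Server;

public static class PasswordHashing
{
    // Salted SHA-256: SHA256(salt || UTF-8(password)). The salt must be random
    // per user and stored next to the hash; without it, two users with the same
    // password get the same hash, and a precomputed table breaks both at once.
    [SqlFunction(IsDeterministic = true, DataAccess = DataAccessKind.None)]
    public static SqlBinary HashPasswordSha256(SqlString password, SqlBinary salt)
    {
        if (password.IsNull || salt.IsNull) return SqlBinary.Null;
        byte[] pwd = Encoding.UTF8.GetBytes(password.Value);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt.Value, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        // SHA256Managed is the pure-managed implementation, which is what lets
        // the assembly load as SAFE (assumption: no native crypto provider needed).
        SHA256 sha = new SHA256Managed();
        byte[] digest = sha.ComputeHash(input);
        sha.Clear();
        return new SqlBinary(digest);
    }

    // Stronger option for stored passwords: PBKDF2 via Rfc2898DeriveBytes runs
    // many iterations, so each guess costs an attacker far more than one SHA-256.
    // A single fast hash, even SHA-2, is still cheap to brute-force offline.
    [SqlFunction(IsDeterministic = true, DataAccess = DataAccessKind.None)]
    public static SqlBinary HashPasswordPbkdf2(SqlString password, SqlBinary salt, SqlInt32 iterations)
    {
        if (password.IsNull || salt.IsNull || iterations.IsNull) return SqlBinary.Null;
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password.Value, salt.Value, iterations.Value);
        return new SqlBinary(kdf.GetBytes(32)); // 32-byte derived key
    }
}

/* Deployment sketch (paths and names are placeholders):
   CREATE ASSEMBLY PasswordHashing FROM '<path>\PasswordHashing.dll' WITH PERMISSION_SET = SAFE;
   CREATE FUNCTION dbo.HashPasswordSha256(@password NVARCHAR(4000), @salt VARBINARY(64))
       RETURNS VARBINARY(32)
       AS EXTERNAL NAME PasswordHashing.PasswordHashing.HashPasswordSha256;
   Then, on insert: dbo.HashPasswordSha256(@pwd, CRYPT_GEN_RANDOM(16)) with the salt stored alongside.
*/
```

When verifying a login, recompute the hash with the stored salt and compare the two VARBINARY values; never store or compare the plaintext.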